Friday, December 21, 2012

The recent cyber attacks upon India have proved once
again that we need to pay more attention to cyber
security in India. Cyber security in India is required not
only to protect sensitive information stored in the computers of
strategic Indian departments and ministries but also to safeguard the
present and future critical
infrastructure of India.

There is no second opinion that a national
security policy of India is required and cyber security is
an essential and indispensable part of the same. The sooner we
formulate and adopt the same the better it would be for the larger
interests of India.

Cyber
security in India has not received the attention of Indian
policy makers. As a result India has witnessed many sophisticated
cyber security attacks against its computer systems operating at
crucial departments and places from time to time. Even the terrorists
are using technology to further their nefarious objectives in India.
The problem is that the Indian government, like any other government, is
not capable of tackling cyber security issues single-handedly. It
needs private sector support to achieve this task.

It is obvious that India is finding it difficult to
gather necessary cyber security expertise and this is resulting in a
weak cyber security. Fortunately, private initiatives like CSRTCI are
bridging the much needed gap of cyber security in India. The centre
is providing techno-legal solutions for areas like cyber law, cyber
security, cyber forensics, cyber
terrorism, cyber espionage, critical
ICT infrastructure protection, cyber war, etc. It is also
providing techno-legal solutions for Indian projects like CCTNS,
Natgrid,
NCTC,
etc.

However, the most important and crucial achievement
of the CSRTCI is that it has an “Exclusive
Techno-Legal Software Repository” and research
literature. It also has expertise for “aggressive defence” and
human rights protection in cyberspace. In short, it is a single place
destination for the techno-legal cyber security and allied fields.

The government of India and private sector of India
must concentrate upon cyber security as soon as possible. Further,
there is an emergent need to make proper amendments in the otherwise
impotent, weak and ineffective cyber law of India. The increase in
cyber crimes in India is also attributable to the “welcoming law”
of India incorporated in the Information Technology Act 2000 that
instead of deterring the cyber criminals is in fact encouraging them
to indulge in cyber crimes.

Cyber security
of India is ailing
from various drawbacks. As a result India has not been able to fully
capitalise on the benefits of cyber security. There is no doubt about
the proposition that cyber
security in India must be improved urgently.

Although
everybody talks about improving cyber security in India yet none
provides the formula to do so. The safest and surest formula to
strengthen Indian cyber security is to formulate an effective and
robust cyber
security strategy and policy of India.

If the essential public
services are made electronic without ensuring robust cyber security,
it would be a nightmare for India, warns Dalal. The government must
ensure a strong cyber security for the infrastructure providing
electronic delivery of services to Indian citizens, suggests
Dalal.

National cyber security of India has to cover a long
distance before we can call ourselves a reasonably cyber safe nation.
India must increase cyber
security readiness with adaptive threat management. Further,
India must also ensure cyber due diligence compliances and cyber
security audits, incident response and threat analysis, first
responder’s utilisation and other similar practices to ensure
efficient cyber security practices.

Thursday, December 20, 2012

Cyber security field requires dedicated and
collaborative efforts on the part of various stakeholders. Cyber
Security In India also requires such collaborative efforts
where public private partnership (PPP) can be really handy.

Cyber
Security Issues In India are too many and too complicated
to be managed by a single organisation or individual. At Perry4Law’s
Techno Legal Base (PTLB) we believe that cyber security is
a techno legal field that requires techno legal expertise. We also
believe that we must develop both Offensive And Defensive Cyber
Security Capabilities In India.

Keeping these cyber security mandates in mind, PTLB
has been operating the exclusive techno legal Cyber
Security Research Centre Of India (CSRCI) and NCSDI is an
integral part of the same. We hope the Cyber Security Projects And
Initiatives Of PTLB would prove useful to all concerned.

The NCSDI would consist of techno legal cyber
security experts of India who should be enrolled with PTLB in this
regard. Those interested in enrolling with NCSDI must read the
enrolment
criteria for the same.

NCSDI would also be an essential part of various
cyber security initiatives and projects of Indian government and
private cyber security players of India and abroad.

NCSDI is a very ambitious and much needed initiative
of PTLB that deserves support and collaboration of Indian government
and various cyber security stakeholders. Let us see how NCSDI and
CSRDI would strengthen the cyber
security environment of India.

Many
legal experts in India have opined that India
must not use software as a service (SaaS), cloud
computing, m-governance, etc till proper legal frameworks and
procedural safeguards are in place. Even the CEOs of many companies
are apprehensive of using cloud computing for their companies’
businesses.

Even if a company or individual offers cloud
computing services in India, it/he has to comply with many legal
provisions and cyber
due diligence requirements. The information technology act
2000 (IT Act 2000) has prescribed due diligence requirements for
various business organisations and stakeholders. These due diligence
requirements equally apply to cloud computing service providers in
India.

These due diligence requirements are very stringent and
cloud computing providers can find themselves in legal hassles if
they ignore the same. Managing sensitive and personal data and
information in India can no longer be approached casually; it
has become very stringent.

With the proposal to
codify law of torts in India, more and more civil proceedings for
violation of privacy rights may be initiated against the cloud
computing service providers. It would be a wise option to establish
best practices and cloud computing policy by all stakeholders in
their own larger interests.

Human
rights protection in cyberspace in India is also required
to be considered by Indian government. Presently, protecting civil
liberties in Indian cyberspace is not a priority for India
and this is a serious problem.

Cyber
Law Due Diligence and Cyber
Security Diligence in India are two fields that are not
taken seriously by Stakeholders and Intermediaries of India. Under
the Information Technology Act 2000 (IT Act 2000) there are many “Due
Diligence Requirements” that Banks, Internet Service Providers
(ISPs), Search Engines, E-Commerce Portals, etc must fulfill.
However, by and large these Due Diligence Requirements are seldom
followed till some “Criminal Prosecution” takes place.

This
“Mindset” needs to be changed in India. The Cyber Law of India
has express provisions that provide for both Civil and Criminal
Liabilities for “Non Observance of Due Diligence”. Once these
provisions are attracted, the concerned Person or Institution has to
defend himself/itself in a Court of Law.

In India there is a
lack of awareness about both Cyber Law of India as well as Cyber Law Due
Diligence Requirements in India. This is the main reason why Cyber
Law Due Diligence has not been up to the requirements and
expectations.

Of all stakeholders, Intermediaries must pay
special attention to Cyber Law Due Diligence Requirements of India.
Intermediaries like ISPs, Cyber Café owners, Web Hosting Service
Providers, Blogging Platforms, etc have to take care of issues
pertaining to Cyber Law, Cyber Security, Defamation Laws,
Intellectual Property Rights (IPRs) Violations, etc.

Special
care must be taken of the Online Copyright issues that are
increasingly posing problems for Intermediaries. The liability
of Internet Intermediaries for Copyright Violations is an
issue that should be taken very seriously. With Laws like Digital
Millennium Copyright Act (DMCA) and similar Laws, this liability has
become very onerous.

“Take Down Notices” for Copyright
Violations in the Cyberspace are very common these days. The moment a
Take Down Notice is communicated to the Intermediary, it becomes
imperative on its behalf to take appropriate action. Further, the
“Long Arm Jurisdiction” makes the applicability of National Law
Extra Territorial. Even the Cyber Law of India has Extra Territorial
Applicability.

Perry4Law
and Perry4Law’s
Techno Legal Base (PTLB) “Strongly Recommends” that
all Stakeholders and Intermediaries must put in place Robust and
Effective Due Diligence Mechanisms at their places. This would not
only help them in preventing Crimes and Cyber Crimes but would also
protect them from various Civil and Criminal Liabilities as well.

Although RBI has been taking many far-reaching and
important steps, yet e-banking in India is still very risky. Of late,
cases of phishing
and banking frauds have increased tremendously in India.
Further, cyber
due diligence of banks in India is still a far dream. Even
the directions of RBI to appoint CIOs and steering committees on
information security have
not yet been implemented.

Indian banks are poor
at cyber security policy formulation and its implementation. Cyber
Security Policy is an issue that is very important for Banks of
India, says Praveen Dalal, managing partner of New Delhi based ICT law
firm Perry4Law
and leading cyber law expert of India. With the growing use of
Internet Banking, ATM machines, Credit and Debit Cards, Online
Banking, etc, Banks of India must also upgrade their Cyber Security
Infrastructure and establish a Cyber Security Policy, suggests
Dalal.

RBI must rigorously implement the directions and
suggestions made in the report of working group. Without stringent
actions, the report would never be actually and practically
implemented by Indian banks.

Although the direction to have CIOs and
Steering Committee is very clear yet till now banks in India have
failed
to comply with this direction. Perry4Law
and Perry4Law’s
Techno Legal Base (PTLB) have been analysing these issues
for long and they have been providing their suggestions in this
regard. We believe that RBI must play a more proactive role in
analysing whether its Policies and Recommendations are duly complied
with. It seems the Recommendations of the Working Group constituted
by RBI have still
not been implemented. A “Progress Report” must be
sought from Banks of India in this regard by RBI as soon as possible.

Tuesday, December 18, 2012

The Reserve Bank
of India (RBI) is taking cyber security of banking industry very
seriously. RBI has been stressing that banks in India are required to
ensure cyber due diligence and cyber
security due diligence. However, the banks in India have still
not done the needful in this regard even though the first
quarterly report in this regard is due on 30th June, 2011.

Perry4Law
and Perry4Law Techno Legal Base (PTLB)
welcome this initiative of RBI and congratulate the working group for
coming out with good guidelines.

National
Intelligence Grid (NATGRID) Project of India is one of the most
ambitious Intelligence Gathering Projects of India. It has been
launched at a time when the Intelligence
Infrastructure of India is in a bad shape.

The recent
decision of a Government Panel rejecting
the proposal to ban Encryption Service Providers like Blackberry,
Gmail, Skype, etc has further made the task of Intelligence Agencies
of India more tedious. Since the E-Surveillance option has gone now
they have to acquire Techno
Legal Intelligence Gathering Skills to deal with sophisticated
and encrypted communications.

Meanwhile
similar Security and E-Surveillance Projects have also been launched
by Indian Government. These include Projects like Central Monitoring
System of India (CMS),
Centre for Communication Security Research and Monitoring (CCSRM),
Aadhar
Project of India, Crime and Criminal Tracking Network and Systems
(CCTNS), National Counter Terrorism Centre (NCTC),
etc. Once again, all these Projects are without any Legal
Framework and Parliamentary Oversight.

To make matters
worse, the Law Enforcement Agencies and Intelligence Agencies of
India are also practically not
governed by any Legal Framework and Parliamentary Oversight.
Whether it is Central Bureau of Investigation (CBI)
or Intelligence
Agencies of India, none of them are presently “Accountable”
to Parliament of India.

India has formulated
a Crisis Management Plan for its Cyberspace. However, like other
Policies and Strategies in India, it has not been implemented in true
letter and spirit. Even the basic level Cyber
Security Preparedness in India is not up to the
mark.

Menaces like cyber terrorism and cyber warfare
cannot be effectively tackled till we have both offensive and
defensive cyber security capabilities. Further, cyber
crisis management plan of India must be urgently
formulated and effectively implemented so that cyber terrorism can be
prevented in India.

The threats of cyber attacks, cyber espionage and
cyber terrorism are looming large over India. India needs to understand
the seriousness of cyber attacks upon its critical infrastructures
and cyberspace. To start with, India must formulate a crisis
management plan to tackle cyber attacks, cyber terrorism and cyber
espionage attempts.

Crisis
management plan (CMP) is a measure of readiness to meet
uncertainties and future risks and accidents. If we have a good
crisis management plan in place, we can minimise the damage and harm
to maximum possible extent.

Similarly, we must also formulate a cyber
security policy for India. With more and more networks and
computers now connected with public utilities and essential
public services, cyber security assumes great significance these
days. India is also looking forward to mandatory electronic delivery
of services. This would increase the risks of cyber attacks upon
crucial public delivery systems of India.

The government of
India has issued certain guidelines to safeguard Indian cyberspace.
According to these guidelines no sensitive information is to be
stored on the systems that are connected to Internet. The Government
has also claimed to have formulated Crisis Management Plan for
countering cyber attacks and cyber terrorism for implementation by
all Ministries/ Departments of Central Government, State Governments
and their organizations and critical sectors.

The
organisations operating critical information infrastructure have been
advised to implement information security management practices based
on International Standard ISO 27001. Ministries and Departments have
been further advised to carry out their IT systems audit regularly to
ensure robustness of their systems. Ministry of External Affairs has
also issued a comprehensive set of IT security instructions for all
users of MEA and periodically updates them on vulnerabilities.

Although the steps taken by Indian government are
praiseworthy, they are not sufficient to ward off the sophisticated
cyber attacks. The practical implementation of the crisis management
plan of India is still missing. With a beginning already taken place,
it needs a political will to give it a final shape and help it to
reach its final destination.

Keeping in mind the cyber attack angle, he also
added four additional members, including a cyber-security expert in
this panel making it a seven-member panel. It is obvious that
India is excluding any possible cyber intrusions and cyber attack
upon the power grids that may have resulted in blackout.

India has been
facing serious cyber threats these days. These include threats from
cyber espionage, cyber terrorism, cyber warfare, etc. Even social
networking sites and cloud computing applications have come under
cyber
attacks.

Although cyber crimes and cyber threats have
increased significantly in India yet cyber crimes prevention and
network security in India are still far
from perfect. India’s preparedness to tackle growing cyber
crimes and cyber attacks is not proper and we do not have any cyber
law policy in India.

In fact, cyber attacks and cyber
terrorism preparedness of India is missing altogether. Cyber
terrorism is a concept that is closely related to national
security and cyber security of any nation. While the definition and
nature of cyber terrorism is still debatable yet none can doubt about
the use of information and communication technology (ICT) for
attacking crucial computer systems of others, says Praveen Dalal,
managing partner of Perry4Law
and CEO of Perry4Law’s
Techno Legal Base (PTLB).

Realising the importance of
cyber security and a defense against cyber terrorism, countries all
over the world are streamlining their defense networks. Some have
merged their traditional armed forces defenses with technology driven
security while others have established a separate and dedicated cyber
security segment for themselves. India also needs good techno-legal
cyber security for its defense
forces.

We have launched a centre for
protection of
human rights in cyberspace that is covering the issues pertaining
to protection of critical ICT infrastructure in India, prevention of
cyber terrorism in India, cyber espionage in India, defense against
cyber war in India, etc. The centre would also provide suggestions
and methods to prevent e-surveillance by governmental as well as
non-governmental persons and organisations, informs Dalal.

The time
has come when India must take seriously issues like cyber security,
cyber terrorism, cyber war and other allied issues. We need both
policy level as well as legislative measures to make Indian
cyberspace robust and secure. On the legislative side, we must enact
strong cyber laws and on the policy side we must enact suitable cyber
security policy of India and cyber
crimes policy of India.

Till now India lacks initiatives
on both these fronts. The present cyber law of India has decayed
and it must urgently be repealed.
The Information Technology Act 2000 is not serving much purpose
these days and it must be replaced by a more effective and strong
cyber law. Let us hope that Parliament of India would do the needful
in the forthcoming session.

Mobile banking in India is moving towards an
acceptance level. However, till now very few people and institutions
are comfortable in using mobile banking in India. Mobile
banking in India is still not popular according to RBI.
There are certain shortcomings of mobile banking in India that are
still left unaddressed.

Even on the policy front, mobile banking has
received a bad response from the Indian government. For instance, absence
of effective encryption
laws in India and non-use of robust encryption in India
have made mobile security very weak in India. Instead of making
the encryption
requirements redundant and weak, India must concentrate
upon further strengthening the same for better and secure mobile
communications. Governments of most developed countries allow the
usage of strong encryption standards ranging from 128 bits to 256
bits or more to ensure the security of sensitive information
exchanged via Internet and other networks. However, India
is still clinging to 40 bits encryption standards for the
simple reason that intelligence and security agencies of India are
not capable enough to break strong encryptions.

A weak mobile
banking infrastructure would also affect other projects and schemes
as well. For instance, recently the Securities and Exchange Board of
India (SEBI) has declared its intention to introduce
electronic
initial public offer (E-IPO) in India. This is a good step
but E-IPO cannot succeed in the absence of strong mobile banking and
Internet banking infrastructure. Online payments mechanisms in India
must also be suitably strengthened to make such proposals
workable.

India must give these considerations some serious
thoughts if it wishes to encash the benefits of technology.
Otherwise, concepts like Internet banking and mobile banking are more
nuisance than luxury in India.

Banking industry of India is passing through a
transformation age. From technological upgradations to enacting new
regulatory norms, banking sector of India is all set for a big
change. However, this change is also very demanding and challenging
in terms of legal obligations and technological knowledge. Banks in
India are finding it difficult to cope with both.

Cyber security is an issue that is very important
for India. With the growing use of Internet banking, ATM machines,
credit and debit cards, online banking, etc, banks of India must also
upgrade their cyber security infrastructure.

Reserve Bank of
India (RBI) has taken some very proactive steps in this regard. RBI
has made it mandatory
to appoint chief information officers (CIOs) and steering committees
on information security at the board level at the earliest. The
intentions are good and so must be their implementations.

Cyber
security cannot be used by banking and financial sectors of India
till it is systematically
used by them. For that a dedicated cell or wing must be
established that can take care of issues pertaining to cyber law,
cyber security, cyber forensics, cyber due diligence, etc.

Although
there are numerous such due diligence requirements yet banks and
financial institutions must consider the cyber security aspects on a
priority basis. Indian banks and financial institutions are
increasingly facing cyber crimes pertaining to banking industry.
Further ATM frauds, credit card cloning, phishing attacks against
banks and financial institutions, etc are also on rise.

Further
data
security and privacy issues are other areas of concern for
banks and financial institutions of India. They must consider data
security and privacy issues of their customers very seriously
otherwise they would be violating the due diligence requirements
under various laws, especially the cyber law of India. Data security
and privacy in Indian banking industry requires immediate attention
of RBI.

RBI is already working hard in these directions and
it is a matter of time before banks and financial institutions of
India would be mandatorily required to ensure strong cyber security,
effective data protection and stringent privacy protection of their
customers.

In the recent times, there is an increasing stress
upon cyber
security at the international level. This is so because
cyber attacks are happening at the international level and all the
countries are facing this threat.

A
national critical information infrastructure protection centre
(NCIPC) of India has been proposed. It intends to ensure critical
infrastructure protection and critical ICT infrastructure protection
in India.

There are a few prerequisites that can make the NCIPC
of India successful. Firstly, there must be a centralised
ICT command centre of India that can coordinate various
cyber security issues. Secondly, specialised agencies and authorities
must be constituted for critical infrastructure areas like power,
telecom, defense, etc. These agencies and authorities must coordinate
with the centralised command centre for cyber security related
issues.

For too long Indian
parliament has been ignoring its crucial legislative business and it
is high time for Indian parliament to do the needful in this regard.
Contemporary techno
legal issues cannot be left at the mercy and indifference
of Indian parliament and Indian government as that may have serious
adverse effects upon Indian economy and national security of India.